General Controls
General controls
Policies and procedures relating to many applications
support the effective functioning of application controls
by helping to ensure the continued proper operation of information systems
• Covers
o Mainframe
o PC
o End-user environment
Evaluate general controls – before – reliance on application controls
[Diagram: Computerized environment. Risks surround the general controls, which in turn surround the application controls.]
[Diagram: the general controls (system development and implementation controls – systems developed in-house, purchased software; system maintenance controls; organizational and management controls; access and security controls; system software controls; computer operating controls; business continuity and recovery controls) surrounding the application controls. E.g. the accounting system: application controls over inventory, debtors, purchases and creditors, PPE and payroll.]
Control risk in an IT environment
• IT systems pose specific risks, including
o Programs processing data inaccurately
o Inaccurate data
o Failure to make necessary changes to systems
o Unauthorized access to data
o Inappropriate manual intervention
o Breakdown in segregation of duties
o Unauthorized changes to data files
o Unauthorized changes to systems or programs
o Loss of data or inability to access data as required
General Controls (The 7 Categories of General Controls)
Comprise the following:
System development and implementation controls
System maintenance controls
Organisational and management controls
Access controls to data and programs
Computer operating controls
System software controls
Business continuity controls
[Diagram: the general controls again, with system development and implementation controls expanded: systems developed in-house, purchased software, system conversion, system documentation.]
System developed in-house
To implement controls designed to ensure
1. A new system is authorized and designed in an effective manner to meet the users’ needs
2. The system is properly developed and implemented
1. System Development and Implementation Controls
These are the checks we do when we're building or installing a
new system.
✅ Why? To make sure it works properly and doesn't have errors.
📌 Example: Testing a new accounting app before using it in real
life.
Purchased software
When purchasing software
• The user has little control over the
o Specifications
o Development
o Testing
• Emphasis is thus placed on determining whether or not the package meets the users’ requirements
• Control must also be exercised over implementation and testing
System maintenance (system change controls)
System maintenance = changes to a system after implementation
= purpose of
• correcting errors or
• meeting the changing needs of users
= to ensure changes are
• authorized
• made in an effective manner
🔧 2. System Maintenance Controls
These are the steps we follow when we update or fix a system.
✅ Why? So that updates don’t break things or cause problems.
📌 Example: Checking a software update on a test computer before
updating everyone’s.
Organizational and management controls
Implement controls designed to
• establish an organizational framework over IT activities and
• ensure that basic principles are met, for example
o Division of duties,
o Review and
o Virus protection
🏢 3. Organisational and Management Controls
These are rules and responsibilities set by the company to manage IT
safely.
✅ Why? So that everyone knows who is in charge and what rules to follow.
📌 Example: Having an IT manager and a company policy that says how to
handle data; this minimizes the risk by ensuring that the correct person
carries out the function correctly.
Organizational and management controls
1. Levels of responsibilities
[Org chart: Board of directors → Chief Executive Officer → COO, CFO, CIO → IT managers]
Top management
• Committed to controls
• Implement management controls (e.g. internal audit)
Computer steering committee
• Board representation
• Responsible for
o Policies
o Overall control of IT activities
CIO / IT managers
• Represent IT department on BOD
• Report to senior management
[Diagram: the general controls again, with strategic management (systems developed in-house, purchased software, service providers) and access and security controls split into programmed controls and physical controls.]
Access and security controls
Procedures designed to
• Provide security for the IT system
• Restrict access to IT systems
🔐 4. Access Controls to Data and Programs
These control who can see or use certain information.
✅ Why? To protect sensitive data from being seen or
changed by the wrong person.
📌 Example: Only HR can access staff salary files.
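As an added example (not from the deck), the slide's rule that only HR may access staff salary files written as a default-deny, role-based access check in Python, with every denied request logged so that repeated unauthorized attempts (one of the IT risks listed earlier) can be flagged for review. The access matrix, roles, user names and requests are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
# Constructed access matrix (hypothetical): resource -> action -> permitted roles.
# Row one is the slide's rule (only HR may access staff salary files); other rows are illustrative.
ACCESS_MATRIX = {
    "staff_salary_files": {"read": {"hr"}, "write": {"hr"}},
    "general_ledger": {"read": {"finance", "auditor"}, "write": {"finance"}},
    "system_software": {"read": {"it"}, "write": {"it"}},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str

@dataclass
class AccessLog:
    # Denials are kept for review: they are the evidence of unauthorized access attempts.
    denied: list = field(default_factory=list)

def is_allowed(req: AccessRequest) -> bool:
    """Default deny: an unknown resource, action or role gets no access."""
    roles = ACCESS_MATRIX.get(req.resource, {}).get(req.action, set())
    return req.role in roles

def process(requests, log: AccessLog):
    """Decide each request and record every denial in the log."""
    decisions = []
    for req in requests:
        ok = is_allowed(req)
        if not ok:
            log.denied.append(req)
        decisions.append((req.user, req.resource, req.action, ok))
    return decisions

def repeated_denials(log: AccessLog, threshold: int = 2):
    """Users denied at least `threshold` times: a flag for review, not a verdict."""
    counts = Counter(req.user for req in log.denied)
    return {user: n for user, n in counts.items() if n >= threshold}
# Constructed sample requests, not real users or data.
SAMPLE = [
    AccessRequest("ann", "hr", "staff_salary_files", "read"),
    AccessRequest("bob", "finance", "staff_salary_files", "read"),
    AccessRequest("bob", "finance", "general_ledger", "write"),
    AccessRequest("bob", "finance", "system_software", "write"),
    AccessRequest("cy", "auditor", "general_ledger", "write"),
]
```

Running `process(SAMPLE, AccessLog())` denies the two finance requests outside the finance role's rows and the auditor's write, and `repeated_denials` then flags the user with two denials for review.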
Computer operating controls
Implement controls to
• Control the proper organization of the system
• Ensure that programmed procedures are applied correctly and consistently during processing of data
• Include:
o Functions by operating system
o Functions by user
o These are the everyday checks and tasks that help keep a computer system running smoothly and safely.
💻 5. Computer Operating Controls
These are daily tasks and checks to make sure computers are
working well.
✅ Why? To avoid crashes, data loss, or system errors.
📌 Example: Making sure the system backs up data every night.
System software controls
Implement controls
• Over programs which do not process data (e.g. access control programs)
• To ensure that they are installed/developed and maintained in an authorized and effective manner
• Access to system software is limited
⚙️ 6. System Software Controls
These protect the software that runs the computer itself, like Windows or macOS.
✅ Why? To stop people from installing harmful programs or changing system settings.
📌 Example: Only IT staff can install system updates or antivirus software.
Business continuity and recovery controls
Implement controls
• Designed to ensure the continuity of processing
• By
o Preventing system interruption
o Limiting damage and interruption to a minimum
🔄 7. Business Continuity Controls
These are plans to keep things running if something goes wrong, like a
cyberattack or disaster.
✅ Why? So the business can recover quickly and not lose important data.
📌 Example: Keeping backup files in the cloud in case the server is damaged.